X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=netbsd-1.1%2Fslcompress.c;h=c46c57f7f14a075a99f5cc9fe6326535ca4fbce2;hp=7a0e24e43408f0df52c24f808bcf410824627abb;hb=0f4ddcb519d4c9cf0c0ca59fc4723aeb6e9e17d0;hpb=b24b1caea979df10873f966d1df3586759b5a7a4;ds=sidebyside
diff --git a/netbsd-1.1/slcompress.c b/netbsd-1.1/slcompress.c
index 7a0e24e..c46c57f 100644
--- a/netbsd-1.1/slcompress.c
+++ b/netbsd-1.1/slcompress.c
@@ -1,4 +1,4 @@
-/* $Id: slcompress.c,v 1.2 1996/04/04 04:17:44 paulus Exp $ */
+/* $Id: slcompress.c,v 1.3 1996/05/24 07:04:47 paulus Exp $ */
 /*
 * Copyright (c) 1989, 1993, 1994
@@ -477,9 +477,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
 cs = &comp->rstate[comp->last_recv = ip->ip_p];
 comp->flags &=~ SLF_TOSS;
 ip->ip_p = IPPROTO_TCP;
- hlen = ip->ip_hl;
- hlen += ((struct tcphdr *)&((int32_t *)ip)[hlen])->th_off;
- hlen <<= 2;
+ /*
+ * Calculate the size of the TCP/IP header and make sure that
+ * we don't overflow the space we have available for it.
+ */
+ hlen = ip->ip_hl << 2;
+ if (hlen + sizeof(struct tcphdr) > buflen)
+ goto bad;
+ hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+ if (hlen > MAX_HDR || hlen > buflen)
+ goto bad;
 BCOPY(ip, &cs->cs_ip, hlen);
 cs->cs_hlen = hlen;
 INCR(sls_uncompressedin)
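Review bot: The added checks in the second hunk bound the header length from above but not from below: an `ip_hl` or `th_off` smaller than 5 still passes, so the TCP header is read from inside the IP header and a truncated header is saved into `cs->cs_ip` with a short `cs_hlen`. Undersized values should be rejected too, for example `if (hlen < sizeof(struct ip) || hlen + sizeof(struct tcphdr) > buflen) goto bad;` (assuming `ip` is a `struct ip *`), plus a matching test that `th_off << 2` is at least `sizeof(struct tcphdr)` before the `MAX_HDR` comparison. The comparisons also mix `hlen`, `sizeof` and `buflen`, whose declarations are outside the hunk; if `buflen` is a signed int, a negative value would convert to a large unsigned number and pass both checks, so the caller's guarantee is worth confirming. The body of sl_uncompress_tcp_core starts and ends outside the hunk.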